Thursday, May 25, 2017

The LinkedIn, Dropbox, and Formspring Hacker: Yevgeniy Nikulin

Yevgeniy Nikulin is a capable Russian hacker responsible for major breaches including LinkedIn, Dropbox and Formspring, as well as less-publicized theft of funds from a Bitcoin hedge fund and from individuals. After his arrest in Prague, Russia filed its own extradition request to compete with the one from the US. There are unconfirmed allegations that Nikulin may have some insight into the hacking related to the 2016 Presidential Elections. Nikulin is a highly skilled, dangerous hacker. While the true nature of his connections to the Russian government is unproven, it is possible that those connections prompted the legal help he is receiving.

Wapack Labs has cataloged and reported extensively on hackers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tor-based Site Operates Illegal Sales Under AES 256-bit Encryption

Wapack Labs discovered a Tor-based website conducting illegal financial sector activities, ranging from carding and counterfeit money to electronics and narcotics. The site, which requires no registration, claims that the forum is totally anonymous and highly secure, largely because all data is encrypted with AES 256-bit encryption. The site provides a multi-signature escrow for all transactions, allowing safe Bitcoin (BTC) transactions between both parties.

Wapack Labs has cataloged and reported extensively on Tor-based and carding activities in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

Free Online Payment System Credentials: Contact Señor

Wapack Labs analysts identified a threat actor targeting the financial sector who is actively posting in several clear web and underground forums. Within these forums, the actor creates threads of free, downloadable log-in credentials for an online payment system. Analysts assess that it is likely that the actor is brute-forcing the accounts to obtain the passwords. A brute force attack is a trial-and-error method in which a program repeatedly guesses candidate passwords until one is accepted; it is highly effective when an account uses a simple password. The language, emails, and passwords indicate that the actor is a Spanish or Portuguese speaker, likely operating in South America.
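From the defender's side, the brute-forcing described above shows up in authentication logs as a burst of failed logins from one source, often across several accounts, sometimes followed by a success. The following is an added example, not Wapack Labs code; the log format and the sample lines are constructed for the illustration, and the window and threshold are assumptions to tune for a real system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format, not real data).
SAMPLE_AUTH_LOG = """\
2017-05-25T08:00:01 result=FAIL user=alice src=203.0.113.9
2017-05-25T08:00:02 result=FAIL user=alice src=203.0.113.9
2017-05-25T08:00:03 result=FAIL user=bob src=203.0.113.9
2017-05-25T08:00:04 result=FAIL user=carol src=203.0.113.9
2017-05-25T08:00:05 result=FAIL user=dave src=203.0.113.9
2017-05-25T08:00:06 result=OK user=dave src=203.0.113.9
2017-05-25T08:05:00 result=FAIL user=erin src=198.51.100.4
2017-05-25T08:30:00 result=OK user=erin src=198.51.100.4
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected shape
        events.append(
            (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])
        )
    return events


def find_brute_force(events, window=timedelta(minutes=5), max_failures=4):
    """Sliding-window detector, one window per source address.

    Returns:
      flagged: src -> set of accounts tried once the failure count in the
               window reaches max_failures (a brute-force or password-spray burst)
      likely_compromised: (user, src) for every success that follows a flagged
               burst from the same source, which is the case to escalate first.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures in window
    flagged = {}
    likely_compromised = []
    for ts, result, user, src in events:
        q = recent[src]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            if len(q) >= max_failures:
                flagged.setdefault(src, set()).update(u for _, u in q)
        elif src in flagged and q:
            # Success from a source that was just hammering accounts.
            likely_compromised.append((user, src))
    return flagged, likely_compromised


if __name__ == "__main__":
    flagged, compromised = find_brute_force(parse_auth_log(SAMPLE_AUTH_LOG))
    for src, users in flagged.items():
        print(f"burst from {src}: accounts tried {sorted(users)}")
    for user, src in compromised:
        print(f"success after burst: user={user} src={src}")
```

In the sample, 203.0.113.9 fails five times across four accounts inside a minute and then logs in as dave, so both the source and the dave account are reported; 198.51.100.4 has a single failure and a success twenty-five minutes later, which the window discards. Counting distinct accounts per source, rather than failures per account, is what catches the "one guess per account" spraying pattern that per-account lockout thresholds miss; rate limiting and multi-factor authentication on the payment accounts are the mitigations that make the guessed passwords worthless.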

Wapack Labs has cataloged and reported extensively on Spanish-speaking threat actors in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Wednesday, May 24, 2017

#Wannacry & the Virut Botnet

A new variant of Wannacry appears to be making a bad situation worse. Wapack Labs has recently identified a new malware specimen that is 75% similar to Wannacry. Instead of leveraging a “kill-switch” domain, the program uses a combination of several static domains as well as a domain generation algorithm (DGA) to bypass network-based mitigations. Furthermore, the domains appear to be related to Virut (medium confidence), a cybercrime botnet in operation since 2006. A more detailed analysis of this development is pending.

Indicators:
424b76cb70c037c71e5c8fb14f2b29bbeace23451e8faa29ba78a6b2afd54014
eliors.com
olmbra.com
jlhrcv.com
pidmed.com
dlapgb.com
totoja.com
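Because this variant mixes fixed domains with a DGA, a blocklist of the six indicator domains alone is not enough; the DNS log also needs a check for the burst of random-looking lookups that a DGA produces. The script below is an added example, not Wapack Labs code: it uses the indicator domains listed above, while the DNS log format, the sample lines, the "six lowercase letters under .com" heuristic (chosen to match the shape of the indicators) and the burst threshold are all assumptions for the illustration.

```python
import re
from collections import Counter

# Indicator domains quoted in the post above.
INDICATOR_DOMAINS = {
    "eliors.com", "olmbra.com", "jlhrcv.com",
    "pidmed.com", "dlapgb.com", "totoja.com",
}

# Known-good short domains that would otherwise match the heuristic (assumed).
ALLOWLIST = {"google.com"}

# Constructed sample DNS query log: "timestamp client qname" (assumed format).
SAMPLE_DNS_LOG = """\
2017-05-24T10:01:02 10.0.0.15 www.microsoft.com
2017-05-24T10:01:05 10.0.0.15 pidmed.com
2017-05-24T10:01:06 10.0.0.15 xkqzvw.com
2017-05-24T10:01:07 10.0.0.15 hjrtnb.com
2017-05-24T10:01:08 10.0.0.15 update.windows.com
2017-05-24T10:02:11 10.0.0.22 mail.example.org
2017-05-24T10:02:12 10.0.0.22 totoja.com
2017-05-24T10:02:13 10.0.0.22 google.com
"""

# Heuristic for the DGA family's output shape: a bare 6-letter label under .com.
RANDOM_SHAPE = re.compile(r"^[a-z]{6}\.com$")


def parse_dns_log(text):
    """Parse the constructed log into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        records.append((ts, client, qname.lower().rstrip(".")))
    return records


def is_random_looking(qname):
    """True when the name has the shape of the listed indicators and is not allowlisted."""
    return RANDOM_SHAPE.match(qname) is not None and qname not in ALLOWLIST


def analyze(records, burst_threshold=3):
    """Two detections over the query log.

    indicator_hits: exact matches against the published indicator domains.
    dga_suspects:   clients that looked up at least burst_threshold distinct
                    random-looking domains; a DGA client cycles through many
                    candidates, most of which never resolve.
    """
    indicator_hits = []
    random_names = {}  # client -> set of random-looking names queried
    for ts, client, qname in records:
        if qname in INDICATOR_DOMAINS:
            indicator_hits.append((ts, client, qname))
        if is_random_looking(qname):
            random_names.setdefault(client, set()).add(qname)
    dga_suspects = sorted(c for c, names in random_names.items()
                          if len(names) >= burst_threshold)
    return indicator_hits, dga_suspects


if __name__ == "__main__":
    hits, suspects = analyze(parse_dns_log(SAMPLE_DNS_LOG))
    for ts, client, qname in hits:
        print(f"{ts} {client} queried indicator domain {qname}")
    for client in suspects:
        print(f"{client} shows DGA-like query pattern")
```

On the sample, both clients touch an indicator domain, but only 10.0.0.15 is reported as DGA-like, because it also queried two further random-looking names that are not on any list. A real deployment would replace the shape heuristic with the actual generator once the pending analysis documents it, and would add NXDOMAIN responses from the resolver as a second signal; sinkholing the generated names at the resolver is the mitigation that the kill-switch domain no longer provides.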

Wapack Labs has cataloged and reported on Wannacry ransomware in the past.  An archive of related reporting can be found in the Red Sky Alliance portal.


Saturday, May 13, 2017

#WannaCry Update

…For Red Sky Alliance members:

A new #WannaCry report, including malware analysis and discussion of the backdoor, is now available for members in the Red Sky Alliance portal. As well, a demonstration of one of the backdoor techniques used yesterday and today is discussed in an April 22nd Red Sky Alliance post by Wapack's JB, entitled "ShadowBrokers EQGRP's FuzzBunch Windows 0day framework - Install, Use, Mitigations." It's a good read.

Friday, May 12, 2017

Equation Group's Exploit is Operating Globally: #WannaCry Ransomware

Wapack Labs is tracking a reported ransomware attack on various countries affecting operations in the health and financial sectors. The malware has been titled: WCry, WannaCry or WanaCrypt0r ransomware. Open source reporting indicates that Russia, Ukraine, Taiwan, Spain, and the United Kingdom are being targeted. CCN-CERT (SP) has confirmed the malware propagates through the leaked Equation Group ETERNALBLUE SMB exploit. Microsoft Security Bulletin MS17-010 details mitigations for this exploit.

Wapack Labs has cataloged and reported extensively on ransomware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Tuesday, May 9, 2017

Nature is Bullet Proof: Dark Cloud

Wapack Labs is researching key components of the Dark Cloud network, including all associated malware to date. “Dark Cloud” is an infrastructure that encompasses thousands of fast-flux proxy botnets in a ‘bullet proof’ hosting environment, renting thousands of botnets to underground users for criminal activity. Roughly 20% of the observed bots were actively leveraged by Dark Cloud. Sality file infector malware was by far the most commonly observed activity and represents a likely propagation mechanism for the botnet.

Wapack Labs has cataloged and reported extensively on malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Saturday, May 6, 2017

What is CTAC?

About two years ago we realized the need to centralize and monitor our logs. At every speaking engagement with small companies, someone (usually more than one) will ask "How do you guys do _________?" Well, this week we went live with CTAC. This is how we monitor our logs, and as of today, you can too.

We built CTAC to allow us to monitor our own logs, compare them to our own intelligence collections, and to be able to twist and turn data to our heart's content.

As well, most companies that we talk to are 'all set' with intelligence, but that assumes a few things. First, it's true that many do have intelligence, but it's also true that many companies today, while they do have intelligence, are overwhelmed with it and have no idea what to do with it. Add in vendor noise, a lack of qualified analytic labor, enormous amounts of data, and daily phone calls from folks trying to sell them more. The process can be overwhelming!

Our answer? We want to teach you to fish, not just fish for you. 

CTAC is a place where you can mine our raw intelligence collections. We like to think of it as the Bloomberg Terminal for our space, except we can also ingest and interact with your data. Wait, what? Interact with your data? Yes! Push your log data into CTAC and monitor it there.

  • There's no need to buy log aggregation! It's included in your subscription!
  • Intelligence? It's in there!
  • Need support? Hit up my guys through the Red Sky portal or IM! Need more? Buy a few hours!

A natural extension of our Red Sky Alliance information sharing environment, CTAC offers tools, training, help when needed, and it scales as big as you need.

Having 800-171 issues? Monitor the cyber threat intelligence for your suppliers, partners, and third parties. We'll help you set up the dashboard! It's easy!

Need Log Monitoring? Push your data securely to our Elastic stack in CTAC. We're happy to help. We'll monitor it (for a fee of course!), you can monitor it, or we can both monitor it! 

Need more information?  You should schedule a demo! Drop me a note —jeff.stutzman@wapacklabs.com. 

Friday, May 5, 2017

This makes Jeff happy!

This makes me really happy. We wrapped up our last class of interns this week. One vet, one non-vet from Southern NH University where they get three credits for every term spent with us. 

What makes me happy? This is our third set of SNHU interns. We've trained several vets, both from SNHU and the Manchester VA Hospital, and this week, when I arrived back in the office on Thursday after having been gone for a couple of weeks, I found these outside my office: "What I learned" notes left on the writey boards.

Do you think they teach Google dorking at SNHU? Any college? Keyloggers? Analyzed intelligence derived from a pile of data?

This group has completed their internship. We've got a couple more working with us through the summer and we'll see a class begin again in September. As well, we're looking for a vet system administrator from the VA, and have already put out the request to the Occupational Transition office. 

Beyond that? We continue to talk with new folks about joining Red Sky… two new companies are going through the process this week!

Keylogging Campaign Affecting Japanese Law Firms 

During research using the Cyber Threat Analysis Center (CTAC), Wapack Labs Team Jaeger (TJ) analysts identified four Japanese law firms that were victimized by keylogging malware. All of the affected firms specialize in patent law. While the malware utilized by the threat actor is unsophisticated, their fraudulent activity is persistent, effective, and has the potential to negatively impact clients of the affected organizations.

Wapack Labs has cataloged and reported extensively on keylogging malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Wednesday, April 26, 2017

Assessing the Multiple Personalities of an APT Actor

Wapack Labs assesses with medium confidence that an identified Advanced Persistent Threat (APT) "group" is actually a lone, nefarious actor using numerous personas. The "group's" forum was rumored to be operated by a foreign military unit and used as a place to re-sell data no longer needed to conduct operations. During March and April 2017, Wapack analysts observed the lone actor's activities across multiple underground forums and were able to tie those activities to aliases used by other group members.

Wapack Labs has cataloged and reported extensively on APTs in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Friday, April 21, 2017

Darknet Private Market Selling Hacked Accounts

Wapack Labs is researching an active darknet actor in a private market. The private market is a multisignature escrow shopping system based in Europe. The darknet actor is currently advertising breached accounts on their site, including Paypal, Amazon, Ebay, and Venmo, and has a 97.3% positive feedback rating. Banking information from several U.S. banks, for accounts with balances of $10,000+ and $20,000+, is offered. The actor is also selling hacked social media accounts such as Instagram and Snapchat. Hacked social media accounts are dangerous because they can be used to hide nefarious activity ranging from pranking to obtaining passwords that compromise banks and online retailers.

Wapack Labs has cataloged and reported extensively on carders in the past. An archive of related reporting can be found in the Red Sky Alliance portal.


Wednesday, April 19, 2017

Uptick in the Wild: CVE2017-0911

As early as January 2017, cyber threat actors began using a then zero-day MS Office remote code execution exploit for CVE-2017-0199 in targeted attacks. Large-scale Dridex campaigns occurred shortly after the vulnerability disclosure in April. Like many other Office vulnerabilities, CVE-2017-0199 has been exploited by multiple actors, cyber criminals and nation-state actors alike. Recent activity indicates continued exploitation of this vulnerability.

Wapack Labs has cataloged and reported extensively on zero-day exploits in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Tuesday, April 18, 2017

Shamoon2 Overwrites and Attacks Saudi Targets

Wapack Labs' research has uncovered Iranian actors using Shamoon2 against Saudi infrastructure and industry targets. Shamoon2 renders infected systems inoperable by overwriting the Master Boot Record (MBR). The actors responsible are using commercially available kernel drivers, which may indicate a lack of experience with Windows kernel development. There is, however, evidence indicating the malware was designed by reverse engineering malware attributed to a nation-state, suggesting that their skills are improving. Further attacks against Saudi-related targets using the Shamoon family of malware are highly likely.

Wapack Labs has cataloged and reported extensively on malware in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

New Kids on the Block

Wapack Labs is researching a new card vendor in the underground going by the name “18th Street Gang Shop” (18SGS). The actual 18th Street Gang is one of the largest youth gangs in the western hemisphere, and has close ties to the Mexican Mafia. It is unclear if the actual street gang is operating this site or if someone is co-opting their name. Users may visit the 18SGS shop, create a free account, and access their stolen credit card database. Wapack Labs filtered records and discovered thousands of credit cards belonging to numerous U.S. banks and one major home improvement store.

Wapack Labs has cataloged and reported extensively on hackers and carders in the past. An archive of related reporting can be found in the Red Sky Alliance portal.